Gartner Report for SBOMs: Key Takeaways You Should Know

In its recent Innovation Insight for SBOMs report,* Gartner highlights the benefits of using software bills of materials (SBOMs) to secure modern, fast-paced DevOps pipelines. An SBOM enumerates every proprietary and open source component that goes into a piece of software, which removes blind spots in the software supply chain and makes the risks those components carry visible enough to mitigate. Without this visibility, organizations’ software supply chains are exposed to security vulnerabilities, quality issues, and compliance risks.

Improving software supply chain security with an SBOM

These days, attackers are increasingly targeting software development systems, open source artifacts, and DevOps pipelines to compromise software supply chains and the downstream organizations that depend on them. The holes in the software delivery process were on display with the Log4Shell vulnerability in Apache Log4j (CVE-2021-44228), when many organizations could not quickly determine which of their applications bundled the affected library, and at which version.

In the face of the growing number and sophistication of these attacks, organizations must develop a solid software supply chain security strategy, both proactive and defensive. To mitigate the variety of supply chain risks, Gartner recommends the adoption of SBOMs:

"SBOMs improve the visibility, transparency, security, and integrity of proprietary and open source code in software supply chains. To realize these benefits, software engineering leaders should integrate SBOMs throughout the software delivery life cycle."

Three elements for SBOM functionality

The Gartner report summarizes the minimum elements for an SBOM published in July 2021 by the National Telecommunications and Information Administration (NTIA), part of the US Department of Commerce, in response to Executive Order 14028. The minimum elements fall into three areas:

Data fields

The NTIA minimum data fields are supplier name, component name, version of the component, other unique identifiers (such as a purl or CPE), dependency relationship, author of the SBOM data, and timestamp. Together these fields should identify a component well enough to track it across the supply chain and map it to other useful sources of data, such as vulnerability databases or license databases.

Automation support

This section identifies three data formats for generating and consuming SBOMs, so that they can be exchanged automatically across organizational boundaries. The NTIA selected them because each is human-readable, machine-readable, and interoperable for the core data fields, and each uses common data syntax representations. The formats are Software Package Data Exchange (SPDX), CycloneDX, and Software Identification (SWID) tags.

Practices and processes

The NTIA outlines six practices for how and when SBOMs should be created, updated, and delivered. Frequency: a new SBOM must be produced each time a component is updated with a new build or release. Depth: the SBOM should list the top-level components and their dependencies, with enough detail to recurse into transitive dependencies. The remaining four cover known unknowns (stating explicitly where the dependency graph is incomplete rather than leaving the gap silent), distribution and delivery, access control, and accommodation of mistakes.

These minimum elements apply to software supplied to the US federal government under Executive Order 14028. However, enterprises of all sizes should adopt them as basic software hygiene.
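To make the three elements concrete, here is an added example (mine, not code from the page, from Aqua or Argon, or from Gartner) that reads a constructed CycloneDX 1.4 document for a hypothetical orders-api service and checks it against the NTIA minimum: the data fields on each component, the presence of a dependency graph, and known unknowns. In CycloneDX a component whose dependencies entry has an empty dependsOn list is known to have no dependencies, while a component absent from the dependencies array has unknown dependencies; the check reports the latter explicitly. The last function shows how the purl field keys a lookup against a vulnerability database, using the request shape of OSV's query API (an assumption about that service; nothing is sent). Component names, versions and the tool name are illustrative; the log4j-core 2.14.1 entry is a version affected by Log4Shell, chosen so that the lookup is meaningful.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

Added example, not code from the page, Aqua, Argon or Gartner. The SBOM below
is a constructed sample for a hypothetical "orders-api" service."""
import json

PURL_APP = "pkg:maven/com.example/orders-api@2.3.0"
PURL_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
PURL_API = "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"

# Constructed sample (CycloneDX 1.4), as it would be parsed from a .json file.
# "vendor-blob" deliberately lacks a supplier, a unique identifier and a
# dependencies entry, to show what the checks flag.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {
        "timestamp": "2022-03-01T10:00:00Z",                 # timestamp
        "tools": [{"name": "sbom-gen", "version": "0.1"}],   # author of SBOM data
        "component": {"type": "application", "bom-ref": PURL_APP,
                      "supplier": {"name": "Example Corp"},
                      "name": "orders-api", "version": "2.3.0", "purl": PURL_APP},
    },
    "components": [
        {"type": "library", "bom-ref": PURL_CORE, "supplier": {"name": "Apache Software Foundation"},
         "name": "log4j-core", "version": "2.14.1", "purl": PURL_CORE},
        {"type": "library", "bom-ref": PURL_API, "supplier": {"name": "Apache Software Foundation"},
         "name": "log4j-api", "version": "2.14.1", "purl": PURL_API},
        {"type": "library", "bom-ref": "vendor-blob", "name": "vendor-blob", "version": "1.0"},
    ],
    "dependencies": [
        {"ref": PURL_APP, "dependsOn": [PURL_CORE, "vendor-blob"]},
        {"ref": PURL_CORE, "dependsOn": [PURL_API]},
        {"ref": PURL_API, "dependsOn": []},   # empty list: known to have no dependencies
    ],
}


def load_sample():
    """Round-trip through JSON so callers get a fresh, file-like copy."""
    return json.loads(json.dumps(SAMPLE_SBOM))


def component_field_gaps(component):
    """Return the NTIA per-component minimum fields missing from one component."""
    gaps = []
    if not component.get("supplier", {}).get("name"):
        gaps.append("supplier name")
    if not component.get("name"):
        gaps.append("component name")
    if not component.get("version"):
        gaps.append("version")
    # "Other unique identifiers": a purl, CPE or hash is what lets the component
    # be matched against vulnerability and license databases.
    if not (component.get("purl") or component.get("cpe") or component.get("hashes")):
        gaps.append("unique identifier (purl/cpe/hash)")
    return gaps


def check_ntia_minimum(sbom):
    """Check document-level fields, per-component fields and the dependency graph.
    'errors' empty means the minimum data fields are present; 'known_unknowns'
    lists components whose dependencies the SBOM does not declare at all."""
    errors = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        errors.append("metadata: missing timestamp")
    if not (meta.get("tools") or meta.get("authors")):
        errors.append("metadata: missing author of SBOM data (tools/authors)")
    root = meta.get("component")
    if root is None:
        errors.append("metadata: missing top-level component")
    all_components = ([root] if root else []) + list(sbom.get("components", []))
    for c in all_components:
        for gap in component_field_gaps(c):
            errors.append(f"component {c.get('name', '?')}: missing {gap}")
    # Dependency relationship: every component should appear as a 'ref'.
    # Absence from the graph means its dependencies are unknown (a known unknown).
    refs = {c.get("bom-ref") for c in all_components}
    graph = sbom.get("dependencies", [])
    if not graph:
        errors.append("dependencies: no dependency relationships declared")
    for d in graph:                      # edges must point at declared components
        for target in d.get("dependsOn", []):
            if target not in refs:
                errors.append(f"dependencies: {d.get('ref')} depends on undeclared {target}")
    known_unknowns = sorted(refs - {d.get("ref") for d in graph})
    return {"errors": errors, "known_unknowns": known_unknowns}


def osv_query_payload(component):
    """Request body for OSV's POST /v1/query keyed by purl (assumed API shape; not sent)."""
    purl = component.get("purl")
    return {"package": {"purl": purl}} if purl else None


if __name__ == "__main__":
    report = check_ntia_minimum(load_sample())
    for e in report["errors"]:
        print("ERROR:", e)
    for ref in report["known_unknowns"]:
        print("KNOWN UNKNOWN: dependencies of", ref, "are not declared")
```

On the sample, the checker reports two missing fields on vendor-blob (no supplier, no unique identifier) and lists vendor-blob as a known unknown because it never appears as a ref in the dependencies array; adding `{"ref": "vendor-blob", "dependsOn": []}` turns that unknown into a declared "no dependencies". The component without a purl is also the one for which `osv_query_payload` returns nothing, which is the practical cost of the missing identifier: it cannot be matched against a vulnerability database.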

The need for SBOMs

In a complex DevSecOps environment, with multiple teams and rapid release cycles, it’s challenging to have full visibility into the potential risks in the software supply chain. SBOMs can help organizations reduce those risks. They provide transparency into the software components used in applications, accelerate the identification and remediation of potential vulnerabilities, and help achieve compliance with government regulations.

As modern cloud native applications continue to be built from a multitude of open source components across the software development life cycle, SBOMs have become vital to the integrity and transparency of the software supply chain.

Try an SBOM with Aqua’s Argon supply chain security

As the leading software supply chain security company and pioneer in the market, Argon, now an Aqua Security company, was the first to release its SBOM manifest solution as part of the code-tampering prevention in the patent-pending Code Integrity Engine in 2021. The Argon SBOM manifest enables teams to identify dependencies and detect key risks in the artifact development process. This allows the implementation of a strict security evaluation of artifacts and the effective mitigation of security threats once discovered.

To learn more about SBOMs, read the full Gartner report. If you’re ready to get started with SBOMs to enrich your DevSecOps process, try Argon.

*Gartner, Innovation Insight for SBOMs, Manjunath Bhat, Dale Gardner, Mark Horvath, 14 February 2022 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

 
Eilon Elhadad

Eilon is the CEO and Co-Founder of Argon Security, an Aqua company. During his service in the elite 8200 Unit in the Israeli Intelligence Corps, he was leading development projects in the field of defensive cybersecurity and targeted cyber threats. Eilon finished his service with the rank of Captain. He holds a B.Sc. and M.Sc. in computer science and is a graduate of Mamram. Prior to Argon, Eilon co-founded Paidit. When he is not working, he enjoys spending time with his friends and doing sports.

Software Supply Chain Security, SBOMs
